
Protected Data: Best Practices to Prevent Unintended Disclosures by Remote Workers

Following the COVID-19 pandemic, many employers faced the decision of whether to continue allowing their employees to work remotely or to ask them to return onsite (or to work a hybrid schedule). According to research done by Gartner, two-thirds of job candidates working onsite would prefer to work in a hybrid or remote model, and 97% of hybrid and remote workers prefer to continue working in these models [1].

While little has changed in the corporate environment with regard to the protection of data, the current number of remote workers and their continued desire to work remotely pose an increased number of security and privacy threats for public sector organizations. Specifically, lost or stolen equipment, malicious employees selling information for personal gain, and unintended disclosures are going to increase in the remote employee environment. Organizations can cover the lost or stolen equipment scenario by beefing up their mobile equipment policies and putting more onus on the employee to reimburse the cost of lost or stolen equipment. Making employees aware of the state, local and federal laws related to information theft should also deter many employees from such activities. But how should organizations protect data from unintended disclosure through other threats that they cannot see or verify?

For example, we would never consider our family members or the people we live with to be a data disclosure risk, because we trust them. However, consider a family member walking by your work area in the home, seeing a celebrity’s health record, and then discussing what they saw socially. There may not be any malicious intent, but this is still a disclosure. Other possibilities for unintended disclosures include accidental posting of protected information to public websites, the use of unapproved transfer and storage methods such as cloud storage drives or email (company to personal and vice versa), and even photos of the data taken with a cell phone.

Here are some ways to further protect your data under the remote workspace scenario:

  • Inventory protected data. The first step in protecting anything is knowing you have it.
  • Audit all access attempts, successful and failed. This will provide a window into who is using the data and where they are accessing it from. Some controls require that any access of protected data has an audit trail that spans from request to destruction; this is a good practice to adopt. These logs should be kept for a minimum retention time in case further investigation is needed.
  • Employ hardware and software privacy screens to discourage picture taking and innocent shoulder surfing.
  • Prevent access from inside the corporate network to common cloud drives and email providers such as Gmail and OneDrive.
  • VPN and encrypted transfer are not enough on their own. Make it a practice to encrypt the data prior to transfer. This can be as simple as creating an encrypted zip file. This ensures the data is always encrypted, whether in transit or at rest.
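
One way to review the audit trail described in the auditing item above, as an added example that is not part of the original article. The log format, the approved network range, the failed-attempt threshold and the one-year retention period are assumptions made for illustration.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample audit records: time, user, source IP, record id, outcome.
SAMPLE_LOG = """\
2024-03-04T09:02:11 asmith 10.20.1.15 rec-1001 SUCCESS
2024-03-04T09:05:40 asmith 10.20.1.15 rec-1002 SUCCESS
2024-03-04T22:41:03 bjones 203.0.113.77 rec-1001 FAILED
2024-03-04T22:41:09 bjones 203.0.113.77 rec-1001 FAILED
2024-03-04T22:41:15 bjones 203.0.113.77 rec-1001 FAILED
2024-03-04T22:42:30 bjones 203.0.113.77 rec-1001 SUCCESS
2024-03-05T08:15:00 cdoe 198.51.100.9 rec-2040 SUCCESS
"""

# Assumed policy values (not from the article): approved range, threshold, retention.
APPROVED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
FAILED_THRESHOLD = 3
MIN_RETENTION = timedelta(days=365)

def parse(log_text):
    """Yield one event per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        try:
            ts, user, ip, record, outcome = line.split()
            yield {"ts": datetime.fromisoformat(ts), "user": user,
                   "ip": ipaddress.ip_address(ip), "record": record, "outcome": outcome}
        except ValueError:  # wrong field count, bad timestamp or bad IP
            continue

def review(log_text):
    """Return (successful accesses from unapproved networks, users at the failure threshold)."""
    events = list(parse(log_text))
    off_network = [(e["user"], str(e["ip"]), e["record"]) for e in events
                   if e["outcome"] == "SUCCESS"
                   and not any(e["ip"] in net for net in APPROVED_NETS)]
    failures = Counter(e["user"] for e in events if e["outcome"] == "FAILED")
    noisy = sorted(u for u, n in failures.items() if n >= FAILED_THRESHOLD)
    return off_network, noisy

def safe_to_purge(entry_time, now):
    """A log entry may be purged only after the minimum retention period has passed."""
    return now - entry_time >= MIN_RETENTION

if __name__ == "__main__":
    off_network, noisy = review(SAMPLE_LOG)
    print("Successful access from unapproved networks:", off_network)
    print("Users with repeated failed attempts:", noisy)
```

In production, malformed lines should be counted and alerted on rather than silently skipped, since gaps in an audit trail are themselves worth investigating.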

This is just a small subset of the risks that remote work presents to protected data. A full inventory should be considered and addressed through corporate policy, procedure and practice. For more information on security and privacy risks, contact Infosys at askus@infosyspublicservices.com.


Author Details

Christopher Lubrecht, Lead Consultant, CISSP, CDPSE

Christopher has over 20 years of experience in delivering all aspects of Information Security, with a specialization in Compliance and Risk Management in the healthcare industry. With a diverse educational background ranging from Education in Secondary Schools to Theater, he is an example of a self-taught IT professional. Christopher started his career as a Technical Support agent, progressing to Network Engineering and System Administration, and eventually finding purchase in Information Security. Christopher currently holds the Certified Information Systems Security Professional (CISSP) and Certified Data Privacy Solutions Engineer (CDPSE) certifications.